alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Info Stealer URI Structure"; flow:established,to_server; http.uri; content:"/api/machine/"; startswith; fast_pattern; pcre:"/^(?:sign|init|injections|commands|settings|clipper|screenshot\x2drules|set\x2dcommand)/R"; reference:url,github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt; classtype:command-and-control; sid:2056026; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_09_20, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Critical, tag Stealer, updated_at 2024_09_20;)